RE: multiple phase 1 tunnel and proxy ID issues

Roy Pereira <rpereira@TimeStep.com> Tue, 26 May 1998 20:28 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA17919 for ipsec-outgoing; Tue, 26 May 1998 16:28:01 -0400 (EDT)
Message-ID: <319A1C5F94C8D11192DE00805FBBADDF124101@exchange.timestep.com>
From: Roy Pereira <rpereira@TimeStep.com>
To: Cliff Wang <cxwang@us.ibm.com>, kent@bbn.com
Cc: ipsec@tis.com
Subject: RE: mutiple phase 1 tunnel and proxy ID issues
Date: Tue, 26 May 1998 16:29:03 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

For a mobile client, its phase 1 ID will be something like an email
address since its IP address is not static.  For its phase 2 ID though,
it will need to send an IP address.  This IP address is its dynamically
assigned IP address that it received through PPP, DHCP, ISAKMP-CFG or
any other means.  The trick is that the gateway must be able to remember
the phase 1 ID to get policy for the phase 2 negotiation.

Although not in any internet draft, I really don't believe that all ID
types are valid for phase 1 and phase 2.  Phase 1, for instance, doesn't
really support subnets and ranges, while phase 2 doesn't really support
email, DN & GN.

> I totally agree with what you have replied in the mail.  Actually
> my question is that if a user name instead of an IP address is
> used in the ID payload of the phase 2 negotiation, even if
> a Phase 2 SA is negotiated successfully, we cannot
> create an SPD entry since a user ID cannot be used to
> process packets. We need to turn that ID into an address
> in order to create an SPD entry. But I am not sure how
> to map that ID into an IP address. This is a practical case
> when two mobile users log into two different ISP boxes,
> get a dynamic address and they want to have their
> data traffic protected. The ISP boxes' policy can only be
> configured with the mobile users' IDs, since their
> addresses are dynamically assigned. The ISP boxes
> can negotiate a Phase 2 SA with the ID, but then they
> somehow need to exchange the user ID to IP address
> mapping with each other. Otherwise the SPD entry cannot be
> created.
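The gateway-side logic Roy describes (policy looked up by the phase 1 identity, then a phase 2 proxy ID that must be an address and must agree with the address the gateway assigned to that identity), as an added example that is not part of the thread or any real implementation. The ID type codes are those of the IPsec DOI (RFC 2407); the `Gateway` class, its cookie-keyed session table and the sample addresses are constructed for illustration.

```python
# Added example (not from the thread): a gateway check that binds a
# phase 2 proxy ID to the policy selected by the phase 1 identity.
# ID type codes follow the IPsec DOI (RFC 2407); the rest is a
# constructed model of one gateway's state, not any real product.
import ipaddress

ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE = 5, 6, 7
ID_IPV6_ADDR_RANGE, ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 8, 9, 10, 11

# Which ID types fit which phase, per the reasoning in the mail:
# phase 1 names a peer, phase 2 names traffic selectors for the SPD.
PHASE1_OK = {ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_USER_FQDN,
             ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID}
PHASE2_OK = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE,
             ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV6_ADDR_RANGE}


class Gateway:
    """Constructed gateway: policy keyed by phase 1 ID, plus the address
    the gateway handed each mobile client (e.g. via ISAKMP-CFG or DHCP)."""

    def __init__(self, policy, assigned):
        self.policy = policy      # phase 1 ID -> protected subnet (str)
        self.assigned = assigned  # phase 1 ID -> client's current IPv4 addr
        self.sessions = {}        # phase 1 cookie -> authenticated phase 1 ID

    def phase1(self, cookie, id_type, id_data):
        """Accept a peer identity only if its type fits phase 1 and policy
        exists for it; remember it under the phase 1 SA's cookie."""
        if id_type not in PHASE1_OK or id_data not in self.policy:
            return False
        self.sessions[cookie] = id_data
        return True

    def phase2(self, cookie, id_type, id_data):
        """Return an SPD selector (client_ip, gateway_net), or None when the
        proxy ID cannot be turned into a selector or belongs to nobody."""
        peer = self.sessions.get(cookie)
        if peer is None or id_type not in PHASE2_OK:
            return None           # no phase 1 state, or e.g. USER_FQDN in phase 2
        if id_type != ID_IPV4_ADDR:
            return None           # this model only hands out single addresses
        client = ipaddress.ip_address(id_data)
        if self.assigned.get(peer) is None or \
                client != ipaddress.ip_address(self.assigned[peer]):
            return None           # proxy ID must be the address we assigned
        return (str(client), self.policy[peer])
```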